FOREWORD


In some ways, the cyber domain is quite different from the traditional
operational domains of air, land, sea, and space. Cyber threats are
stealthy and difficult to attribute; critical infrastructures are
difficult to defend against unseen and unpredictable adversaries. The
2011 Department of Defense (DoD) Strategy for Operating in Cyberspace
was a significant policy statement for publicly embracing cyberspace as
an operational domain and declaring a number of strategic initiatives to
maintain U.S. security in the face of emerging cyber threats. In this
monograph, Dr. Thomas Chen explains the strategies as they have evolved
from previous national strategies and examines each strategy critically
for clarity, comprehensiveness, and novelty.

This monograph contributes to an important ongoing dialogue about
current policy and addresses the question: How should the cyber domain
be managed so as to protect U.S. assets and interests? According to the
DoD Strategy, defense will depend on novel operating concepts;
partnerships between government and industry; international
partnerships with allies; and investment in cyber training and research
and development. But does the DoD Strategy go sufficiently far enough to
ensure U.S. superiority in the cyber domain? The cyber threat landscape
is constantly evolving; therefore, it is important to continually
revisit the national strategy and ask, as in this monograph, whether the
national strategy is adequately meeting existing and emerging
challenges.

DOUGLAS C. LOVELACE, JR.
Director

Strategic Studies Institute and
U.S. Army War College Press

SUMMARY


In July 2011, the U.S. Department of Defense (DoD) issued the DoD
Strategy for Operating in Cyberspace. It outlines five strategic
initiatives:

1. Treat cyberspace as another operational domain;

2. Employ new defense operating concepts to protect DoD networks;

3. Partner with other U.S. government agencies and the private sector;

4. Build relationships with U.S. allies and international partners to
strengthen cyber security; and,

5. Leverage the national intellect and capabilities through cyber
workforce training and rapid technological innovation.

This monograph is organized in three main parts. The first part explores
the evolution of cyberspace strategy through a series of government
publications leading up to the DoD Strategy for Operating in Cyberspace.
It is seen that, although each strategy has different emphases on ideas,
some major themes recur. In the second part, each strategic initiative
is elaborated and critiqued in terms of significance, novelty, and
practicality. In the third part, the monograph critiques the DoD
Strategy as a whole. Is it comprehensive and adequate to maintain U.S.
superiority in cyberspace against a rapidly changing threat landscape?
Shortcomings in the strategy are identified, and recommendations are
made for improvement in future versions.

AN ASSESSMENT OF THE
DEPARTMENT OF DEFENSE STRATEGY
FOR OPERATING IN CYBERSPACE


INTRODUCTION 

Computer networks have become essential to the proper operation of the
U.S. Government and military. According to then Secretary of Defense
Robert Gates, the Department of Defense (DoD) operates "more than 15,000
local, regional, and wide-area networks, and approximately seven million
information technology (IT) devices."1 The increasing reliance on
computer networks has created opportunities for foreign nations,
terrorists, "hacktivists," and criminals. Government networks are being
constantly probed for vulnerabilities and have occasionally been
compromised, resulting in the theft of considerable amounts of sensitive
data. Several intrusions have been publicly disclosed, including:

• Moonlight Maze involved 2 years of infiltrations starting in 1998
into the Pentagon, National Aeronautics and Space Administration (NASA),
Department of Energy (DoE), and affiliated labs. Tens of thousands of
files, including military maps, U.S. troop configurations, military
hardware designs, and naval codes were reportedly compromised. According
to congressional testimony of James Adams, chief executive officer of
Infrastructure Defense, Inc., the stolen information was "shipped over
the Internet to Moscow for sale to the highest bidder."2

• Titan Rain was a series of intrusions starting in 2003 into computer
systems at Sandia National Labs, NASA, Redstone Arsenal military base,
World Bank, and various defense contractors. Military intelligence was
stolen, including Army helicopter specifications, Falconview (flight
planning software), and aerospace documents.3

• Intrusions into defense contractor information systems in 2007 and
2008 reportedly allowed an unidentified foreign country to exfiltrate
successfully "several terabytes of data related to design and
electronics systems" of the F-35 Lightning II, an advanced fighter
plane.4

• In March 2011, Deputy Defense Secretary William Lynn admitted that
"terabytes of data have been extracted by foreign intruders from
corporate networks of (unnamed) defense companies."5 The theft involved
24,000 files of data ranging from specifications for small parts on
tanks, airplanes, and submarines to aircraft avionics, surveillance
technologies, satellite communications systems, and network security
protocols.

As cyberspace has become increasingly important, the U.S. Government
has issued a number of publications on national cybersecurity strategy
leading up to the 2011 DoD Strategy for Operating in Cyberspace. Some
themes have been repeated often, such as a need for public-private
sector cooperation, reduction of vulnerabilities, more cyber security
training, and international cooperation. A summary of these documents is
listed in the appendix.

An Evolution of Cyberspace Strategies.

In February 2003, President George Bush issued the National Strategy to
Secure Cyberspace.6 It highlighted three strategic priorities:

1. Prevent cyber attacks against America's critical infrastructure;

2. Reduce national vulnerability to cyber attacks; and,

3. Minimize damage and recovery time from cyber attacks,

and identified five critical national priorities:

a. Implement a national cyberspace security response system;

b. Reduce cyberspace threats and vulnerabilities;

c. Increase national cyber security awareness and training;

d. Secure government cyberspace;

e. Enhance national and international cyberspace cooperation.

The primary aim of the strategy was to improve cyber security
nationwide, not only government systems but also critical
infrastructures owned by the private sector. For each of the five
national priorities, several major "actions and initiatives" were
spelled out. Among these, several are noteworthy:

• Encourage public-private partnerships for cyber incident response;

• Improve public-private information sharing involving cyber attacks,
threats, and vulnerabilities;

• Prioritize federal research and development (R&D) in cyber security;

• Foster training and education programs in cyber security;

• Strengthen cyber-related counterintelligence efforts;

• Improve capabilities for attack attribution and response;

• Establish international partnerships to protect information
infrastructures;

• Establish national and international watch-and-warning networks to
detect and prevent cyber attacks.

Most of the themes reappear in the 2011 DoD Strategy for Operating in
Cyberspace (e.g., national and international cooperation, public-private
partnerships and information sharing, reduction of vulnerabilities, and
cyber security awareness).

In 2004, the Joint Chiefs of Staff published the National Military
Strategy of the United States of America.7 It was an action plan for the
Armed Forces to support the National Security Strategy and National
Defense Strategy. It emphasized three priorities: fighting terrorism;
enhancing joint warfighting; and transforming the joint force to meet
military objectives in the near and far terms. It notably included
cyberspace as one of the domains of the battlespace along with air,
land, sea, and space.

Two years later, the Joint Chiefs of Staff published the National
Military Strategy for Cyberspace Operations (NMS-CO) focused
specifically on cyber security.8 It aimed to characterize the cyberspace
domain, identify threats and vulnerabilities, and propose a strategic
framework to assure U.S. military superiority in cyberspace. The NMS-CO
appeared to significantly influence the 2011 DoD Strategy for Operating
in Cyberspace, where the main themes reappeared.

The NMS-CO identified six enabling ways to maintain superiority in
cyberspace, including these three:

1. Investment in science and technology;

2. Partnerships with industry, government agencies, and other nations;
and,

3. Investment in a trained workforce.

It also named four strategic priorities:

1. Gain and maintain initiative to operate within adversarial decision
cycles;

2. Integrate cyberspace capabilities across the range of military
operations;

3. Build capacity for cyberspace operations; and,

4. Manage risk for operations in cyberspace.

Each strategic priority was accompanied by several specific initiatives.

In August 2007, President Bush established the Commission on
Cybersecurity for the 44th Presidency to examine the national cyber
security strategy for areas for improvement. At its conclusion, the
commission stated that cyberspace was an urgent national security
problem and recommended 25 actions.9

In the meantime, President Bush enacted the Comprehensive National
Cybersecurity Initiative (CNCI) aimed at improving the capabilities of
the Department of Homeland Security (DHS) and other government agencies
to protect against existing and future intrusions.10 The CNCI was a
number of interrelated initiatives with three major goals aimed at
improving cyber security:

1. To establish a "front line of defense" against existing threats
through shared situational awareness and prevent future intrusions by
reducing vulnerabilities;

2. To defend against the full spectrum of threats through better
counterintelligence and better security of the supply chain for key
information technologies;

3. To expand cyber education; coordinate R&D across the federal
government; and develop strategies to deter malicious activities.

In the CNCI, some common themes from earlier publications reappear:
reduction of vulnerabilities, coordination among government agencies,
public-private partnering, security of the supply chain, workforce
training, and focused R&D. These themes will be repeated in the later
DoD Strategy for Operating in Cyberspace, but a couple of concepts in
the CNCI, namely deterrence and counterintelligence, were not repeated
explicitly. Instead, the DoD Strategy addresses deterrence and
counterintelligence more subtly. It hints at counterintelligence in
describing the establishment of U.S. Cyber Command (USCYBERCOM),
co-located with the National Security Agency (NSA) under the same
director. The notion of deterrence is also addressed subtly in the
description of collective security created by international cooperation;
presumably, the strength of numbers will help deter future attacks.

In May 2009, President Barack Obama announced the results of a broad
review of the national cyber security strategy, including CNCI. The
review recommended that a new cyber security coordinator update the
national strategy. The U.S. Government Accountability Office (GAO) also
noted, among other recommendations, the need for a national strategy
that clearly articulated strategic objectives, goals, and priorities.11
In the same year, DHS updated its National Infrastructure Protection
Plan, which is a framework for addressing threats to critical
infrastructures relying on public-private partnerships.12

In May 2011, the White House released the International Strategy for
Cyberspace, aiming to promote a global cyberspace environment that is
"open, interoperable, secure, and reliable" based on "norms of
responsible behavior."13 The document is divided into three approaches
for the future — diplomacy, defense, and development — and is supported
by seven policy priorities. The strategy emphasized the need for
international cooperation and public-private partnerships, noting that
"no single institution, document, arrangement, or instrument could
suffice in addressing the needs of our networked world."14

Whereas the International Strategy for Cyberspace is diplomatic,
highlighting the international and cooperative aspects of a secure
cyberspace, the DoD Strategy for Operating in Cyberspace may be
considered a complementary strategy in some ways. While international
cooperation is an important part of the strategy, the strategy is
primarily interested in actions to ensure military superiority and
protection of American assets.

DoD Strategy for Operating in Cyberspace.

In July 2011, Deputy Secretary of Defense Lynn announced the publication
of a 13-page unclassified DoD Strategy for Operating in Cyberspace (the
contents of a longer classified version have not been published).15 The
official document was preceded by a September 2010 article by Secretary
Lynn. The conclusion in the article is an accurate summary of the DoD
Strategy:

These risks [in cyberspace] are what is driving the Pentagon to forge a
new strategy for cyber security. The principal elements of that strategy
are to develop an organizational construct for training, equipping, and
commanding cyberdefense forces; to employ layered protections with a
strong core of active defenses; to use military capabilities to support
other departments' efforts to secure the networks that run the United
States' critical infrastructure; to build collective defenses with U.S.
allies; and to invest in the rapid development of additional
cyberdefense capabilities. The goal of this strategy is to make
cyberspace safe so that its revolutionary innovations can enhance both
the United States' national security and its economic security.16

The DoD Strategy for Operating in Cyberspace outlines five strategic
initiatives to address cyber security, which can be summarized as
follows:

1. Treat cyberspace as an operational domain (equivalent to air, land,
maritime, and space);

2. Employ new defense operating concepts to protect DoD networks;

3. Partner with other U.S. Government agencies and the private sector;

4. Build relationships with international partners to strengthen
collective security; and,

5. Invest in cyber workforce training and R&D for rapid technological
innovation.

The accompanying news release described the strategy as "a new way
forward for DoD's military, intelligence, and business operations."17
Clearly, the DoD Strategy is significant as an official recognition of
the strategic importance of cyberspace to national security. However,
while the strategy is consistent with Secretary Lynn's article, the
document is brief and unspecific. It repeats several themes from earlier
government publications but surprisingly omits a few important ones. In
the remainder of this article, each strategic initiative in the DoD
Strategy will be examined in depth for clarity, comprehensiveness, and
novelty. The implications and practicality of each initiative will be
discussed. In the final section, some critical observations of the DoD
Strategy will be made.

STRATEGIC INITIATIVE 1: DoD will treat cyberspace as an operational
domain to organize, train, and equip so that DoD can take full advantage
of cyberspace's potential.

This strategy initiative is an official declaration that cyberspace will
be treated as the fifth operational domain in addition to air, land,
sea, and space. Essentially, DoD recognizes that military operations
need to extend into man-made cyberspace because cyberspace has become
integral to military operations in the other domains. In modern warfare,
all domains are interconnected via cyberspace operations, and cyber
attacks are expected to become a common part of future conflicts. It
naturally follows that DoD should build up capabilities to carry out
actions in cyberspace. The strategy states "DoD will organize, train,
and equip for the complex challenges and vast opportunities of
cyberspace."18

Substantial changes have been made in organization. DoD has established
the USCYBERCOM as a sub-unified command of U.S. Strategic Command
(USSTRATCOM) under the Secretary of Defense. USCYBERCOM is responsible
for coordinating the relevant military branches, including U.S. Army
Cyber Command, U.S. Fleet Cyber Command/U.S. 10th Fleet, the 24th Air
Force, U.S. Marine Corps Forces Cyber Command, and U.S. Coast Guard
Cyber Command. It is deliberately co-located with the NSA under the same
director. This organization is intended to maximize resources and
efficiency, and directly link cyber operations with intelligence.

The DoD Strategy expresses concern that degraded cyberspace operations
may interfere with the success of missions. To learn to operate in a
possibly hostile cyberspace environment, cyber red teams will conduct
war games, e.g., Cyber Storm.19 In addition, defensive capabilities will
be strengthened by investment in more resilient and secure computer
networks.

Significance and Novelty.

In summary, this strategy initiative makes three points: DoD must be
able to operate equally in cyberspace as in other domains; missions must
succeed despite adversity in cyberspace; and cyberspace must be
strengthened against threats. This initiative is a message to other
government agencies, as well as to foreign countries, about the
seriousness of cyber operations (and possibly military responses to
cyber attacks).

As a formal statement that cyberspace will be an integral part of future
warfare, this is not surprising. It recognizes the reality that most
people have already accepted. The importance of military operations in
cyberspace has become increasingly clear in recent years. In 2004, the
Joint Chiefs of Staff issued the National Military Strategy of the
United States of America.20 It implied cyberspace was an operational
domain by saying the military "must have the ability to operate across
the air, land, sea, space, and cyberspace domains of the battlespace."
In November 2006, Secretary of the Air Force Michael W. Wynne delivered
an address describing cyberspace as a warfighting domain equal to air
and space: "(defend) the United States of America and its global
interests — to fly and fight in air, space and cyberspace."21 In this
view, cyberspace superiority is simply an extension of air and space
supremacy.

Since cyber operations are widely expected to become a critical part of
military conflicts, it is logical for DoD to strive for freedom to act
in cyberspace beyond civilian limitations. However, this "militarization
of cyberspace" raises a few issues that are not addressed specifically
in the DoD Strategy. First, what are the boundaries of cyberspace
considered to be within military jurisdiction? Most critical network
infrastructures are owned and operated by the private sector. Second,
how will cyber attacks warranting a military response be differentiated
from other malicious acts such as cybercrime? For instance, spear
phishing (social engineering) to install malware may be a tactic used in
both cybercrime and military cyber espionage. Third, could cyber attacks
escalate unnecessarily into physical warfare? It seems possible that DoD
might classify a major cyber attack against critical infrastructure as
an act of war that could trigger a conventional military response. A
Pentagon official stated, "If you shut down our power grid, maybe we
will put a missile down one of your smokestacks."22 Clearly, rules need
to be developed to guide appropriate responses to cyber attacks. So far,
the United States has chosen not to impose any self-restrictions. Deputy
Defense Secretary Lynn stated:

The United States reserves the right, under the laws of armed conflict,
to respond to serious cyber attacks with a proportional and justified
military response at the time and place of its choosing.23

Practicality.

In terms of organization, the GAO has found that progress has been made,
notably the establishment of the USCYBERCOM and supporting organizations
in June 2009, but more work is needed.24 It observed that the DoD's
organization to address cyber security is vast and decentralized, with
responsibilities spread across various offices. The recent
organizational changes are believed to be steps in the right direction,
since the command will theoretically provide a "single point of
accountability" but "it is too early to tell if these ongoing
organizational changes will improve DoD's overall cyber efforts" to
counter threats.25

The GAO also observed a lack of clarity about the role of civilians in
conducting cyber war operations and the "mission requirements and
capabilities to organize, train, and equip a cyber force."26 Another
concern was a lack of direction from USCYBERCOM about the command and
control relationships between the command and regional military
commanders.

In terms of investment in more resilient and secure computer networks,
the DoD Strategy is not specific about how investment will be carried
out. Researchers in resilient networks have investigated advanced
technologies such as self-healing and intrusion tolerance for many
years. Resilience was one of the original main design goals for the
Internet.27 Self-healing is a more advanced capability that enables
networks to automatically detect faults and reroute connections around
them with minimal interruption.28 Likewise, intrusion tolerance is an
advanced technology that aims to keep critical systems functioning
properly even in the face of successful intrusions.29

These advanced technologies underlying resilient and robust computer
networks are fairly well understood, though not perfect, particularly
for large-scale complex networks. Considering that DoD operates 15,000
networks involving more than seven million devices, it would be
enormously challenging to successfully implement advanced technologies
such as self-healing and intrusion tolerance on that scale.
Implementation would require thorough changes in equipment, software,
and protocols. The cost for implementation is unknown, and the required
funds are not guaranteed in the budget. DoD has requested $37 billion
for information technology in Fiscal Year (FY) 2013, but it encompasses
a range of IT investments.30 The budget includes $3.4 billion for cyber
security efforts to protect information, information systems, and
networks.

STRATEGIC INITIATIVE 2: DoD will employ new defense operating concepts
to protect DoD networks and systems.

Although the strategic initiative is obviously broad and vague, the DoD
Strategy identifies four specific actions:

1. Implement cyber hygiene best practices;

2. Address insider threats by strengthening workforce communications,
workforce accountability, and internal monitoring;

3. Implement active cyber defenses against external threats; and,

4. Develop new defense operating concepts and computing architectures
such as secure cloud computing.

The initiative presumes that good hygiene (e.g., updating and patching
software, running antivirus software, avoiding untrusted email
attachments and untrusted websites) can prevent most malicious acts.
While certainly helpful, safe practices will not protect users against
advanced attacks that often make use of sophisticated social engineering
and zero-day exploits.

It is notoriously difficult to defend against insider threats. The
strategy will depend on:

communication, personnel training, and new technologies and processes
. . . new policies, new methods of personnel training, and innovative
workforce communications.31

The DoD Strategy makes a point to contrast "active" defense with
traditional "passive" defense. By active defense, the DoD Strategy means
that the network will be monitored in real time to "discover, detect,
analyze, and mitigate threats and vulnerabilities,"32 or, in other
words, real-time intrusion detection and prevention. This capability
aims to "stop malicious activity before it can affect DoD networks and
systems."33

Significance and Novelty.

Generally, this strategic initiative has good ideas consistent with
common sense, but the ideas are conventional and unoriginal. For
example, cyber security best practices are a good idea, but best
practices alone will not prevent intrusions, and the strategic
initiative does not offer additional ideas beyond best practices. Also,
insider threats can be ameliorated by addressing the human element in
the workplace, but it is not clear how effectively the stated actions
can deter insider attacks.

Perhaps the most interesting statement is the emphasis on active
defenses that detect and prevent intrusions in real time. This statement
could be interpreted as an implicit message aimed at foreign
adversaries, saying that real-time retaliation is possible. This message
might help deter future attacks; the notion of deterrence is elaborated
in more detail later.

Much of this strategic initiative is too broad and vague to criticize.
For example, the meaning of statements like "DoD will explore new and
innovative approaches and paradigms for both existing and emerging
challenges"34 is impossible to evaluate because it depends on unknowns
in the future.

Practicality.

The most challenging action in this strategic initiative is active
defense. Research in intrusion detection has been conducted for decades,
and real-time detection is still an open question due to the continual
inventiveness of resourceful adversaries. The strategic initiative does
not explain how active defenses will be carried out or who will provide
the technology. In general, intrusion detection can be performed by
misuse detection (signature-based) or anomaly detection
(behavior-based).35 Misuse detection works for known attacks but may
miss new attacks without an existing signature. On the other hand,
anomaly detection may be able to detect unknown new attacks that deviate
statistically from "normal" behaviors, but this approach continues to be
very difficult to perfect in practice. Existing intrusion detection
systems can monitor computer networks in real time, but the accuracy of
detection (and hence prevention) remains uncertain.
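
The trade-off between the two detection approaches described above can be seen in a small added example (not part of the monograph): a signature matcher and a per-host z-score detector are run over the same constructed flow records. The signatures, host name, threshold, and records are all assumptions made for illustration.

```python
"""Misuse (signature) vs. anomaly (statistical) detection on constructed flows."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str
    bytes_out: int
    payload: str
    is_attack: bool  # ground truth, used only to score the detectors


# Hypothetical signatures for attack patterns that are already known.
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def misuse_detect(flow):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return name
    return None


class AnomalyDetector:
    """Flags flows whose outbound volume deviates from a per-host baseline."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # assumed cut-off, in standard deviations
        self.baseline = {}          # host -> (mean, spread)

    def fit(self, flows):
        per_host = {}
        for flow in flows:
            per_host.setdefault(flow.host, []).append(flow.bytes_out)
        for host, values in per_host.items():
            spread = statistics.stdev(values) if len(values) > 1 else 0.0
            # Floor the spread so a perfectly flat baseline cannot divide by zero.
            self.baseline[host] = (statistics.mean(values), max(spread, 1.0))

    def is_anomalous(self, flow):
        if flow.host not in self.baseline:
            return True  # no "normal" profile exists for this host
        mean, spread = self.baseline[flow.host]
        return abs(flow.bytes_out - mean) / spread > self.threshold


def evaluate(alerts, flows):
    """Count true positives, false positives and false negatives."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for alerted, flow in zip(alerts, flows):
        if alerted and flow.is_attack:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif flow.is_attack:
            counts["fn"] += 1
    return counts


# Constructed baseline of ordinary traffic for one workstation.
TRAINING = [
    Flow("ws-01", size, "GET /index.html", False)
    for size in (1200, 900, 1500, 1100, 1300, 1000, 1400, 1250)
]

# Constructed live traffic: one known attack, one novel attack, two benign flows.
LIVE = [
    Flow("ws-01", 1300, "GET /item?id=1 UNION SELECT password FROM users", True),
    Flow("ws-01", 250000, "POST /upload HTTP/1.1", True),    # new, no signature
    Flow("ws-01", 180000, "PUT /backup/weekly.tar", False),  # unusual but benign
    Flow("ws-01", 1150, "GET /index.html", False),
]


def run():
    detector = AnomalyDetector()
    detector.fit(TRAINING)
    misuse = evaluate([misuse_detect(f) is not None for f in LIVE], LIVE)
    anomaly = evaluate([detector.is_anomalous(f) for f in LIVE], LIVE)
    return {"misuse": misuse, "anomaly": anomaly}


if __name__ == "__main__":
    for name, counts in run().items():
        print(name, counts)
```

The signature matcher misses the attack it has no pattern for, while the statistical detector catches it but also alerts on the benign backup and misses the known attack whose traffic volume looks normal.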

It is not clear how new computing architectures such as cloud computing
can improve DoD security. Cloud computing offers organizations benefits
like lower start-up costs and capital expenditures, services on a
pay-as-you-use basis, and flexibility to quickly reduce or increase
capacities. However, cloud computing introduces new security risks
related to data ownership, privacy, data mobility, quality of service,
bandwidth, and data protection.36

STRATEGIC INITIATIVE 3: DoD will partner with
other U.S. government departments and agencies
and the private sector to enable a whole-of-government
cyber security strategy.

This  strategic  initiative  recognizes  that: 

DoD's critical functions and operations rely on commercial
assets, including Internet Service Providers
(ISPs) and global supply chains, over which DoD has
no direct authority to mitigate risk effectively.37

Therefore,  a  broad  level  of  cooperation  with  other 
government  departments  and  private  companies  is 
clearly  necessary. 

Among other government departments, the strategic
initiative emphasizes DHS in particular. A notable
example of cooperation was a 2010 memorandum of
agreement with DHS to coordinate efforts to protect
critical infrastructures and computer networks.38 The
agreement called for DoD and DHS cyber analysts to
jointly support the National Cybersecurity and Communications
Integration Center (NCCIC). The agreement
also provides a full-time senior DHS leader and
support personnel to NSA to "ensure both agencies'
priorities and requests for support are clearly communicated
and met."39

The strategic initiative also calls for public-private
partnerships because the global technology supply
chain affects mission critical aspects of the DoD enterprise,
along with core U.S. Government and private
sector functions.40

The partnerships will aim to "share ideas, develop
new capabilities, and support collective efforts."41 The
public and private sectors will not automatically work
together because of different interests. In recognition
of this difficulty, the strategy describes an existing
public-private partnership with the Defense Industrial
Base (DIB) to increase the protection of sensitive
information. DIB networks are protected under the
Defense Industrial Base Cyber Security and Information
Assurance program. The strategy wants additional
pilot programs, business models, and policy
frameworks to foster public-private synergy. Public-private
partnerships will require a balance between
regulation and volunteerism . . . incentives or other
measures will be necessary to promote private sector
participation.42

Significance and Novelty.

The current division of government responsibilities
for protecting cyberspace is less than ideal. Broadly
speaking, the DoD is responsible for defending the
military networks (nominally against cyber warfare),
while DHS is responsible for defending civilian government
networks (against cybercrime). DHS also
helps critical infrastructure owners with cyber security.
At the same time, the arguably best defense capabilities
reside in the DoD. It is not clear which government
agency has the lead for cyber security, which
would respond to a given cyber attack, and how DoD
could help in the defense of civilian networks. Ideally,
government agencies would work together seamlessly,
but the 2009 Cyberspace Policy Review noted a lack
of coherent policy guidance clarifying "authorities,
roles, and responsibilities for cyber security-related
activities across the Federal government" due to an
incoherent "patchwork of Constitutional, domestic,
foreign, and international laws."43

Public-private cooperation has been a recurrent
theme in government publications on cyber security.
The need for public-private partnerships was recognized
in the 2003 National Strategy to Secure Cyberspace,
which viewed public-private partnerships as useful
for cyber incident response and security information
sharing. It was repeated in the 2006 National Military
Strategy for Cyberspace Operations and the DHS 2009
National Infrastructure Protection Plan. Considering
that the private sector owns most critical infrastructures,
the need for effective public-private partnerships
is obvious. The question for the DoD Strategy is
how to facilitate and incentivize cooperation. The DoD
Strategy appears to recognize this challenge but does
not offer specific plans.

Practicality.

Significant progress has been made in increasing
cooperation between agencies. A few agencies — Air
Force, DHS, NSA, and Federal Bureau of Investigation
(FBI) — have claimed authority in cyberspace.
The 24th Air Force is now the Service's component of
the USCYBERCOM. As mentioned earlier, DHS and
DoD have signed a memorandum of agreement. NSA
is closely linked to USCYBERCOM under the same
director. The FBI investigates cyber intrusions at U.S.
companies but suffers from a shortage of necessary
skills and support.44

The DHS-DoD memorandum of agreement is a
good example of the DoD Strategy's whole-of-government
approach. Whereas DoD is normally limited to
defending military computer networks, the memorandum
of agreement allows DoD's cyber warfare expertise
to be leveraged to help DHS protect domestic
networks and critical infrastructure. To fully realize
the strategy's whole-of-government approach, more
similar agreements will be needed that spell out how
agencies can cooperate while clearly maintaining their
separate missions.45

The DoD Strategy is vague about specific means
of public-private cooperation, but an obvious example
is information sharing about vulnerabilities and
threats. The DoD Strategy points out an example of
the DIB pilot. It involves DoD, DHS, and 20 companies,
including ISPs and defense contractors. Threat
signature information is shared by USCYBERCOM
and NSA with the participating companies. In addition,
various bills are pending to increase
information sharing between private companies and
the government.

An amended version of the Cyber Intelligence
Sharing and Protection Act (CISPA) bill passed the
House of Representatives in April 2012. It contains
provisions for private companies to "use cyber security
systems to identify and obtain cyber threat information,"
share this information with the government,
and be protected from lawsuits for these actions.46 Civil
liberty groups have expressed concerns that vague
wording in the bill might allow companies to collect
unlimited private information about Internet users
under the pretext of suspicious activities.

The Strengthening and Enhancing Cybersecurity
by Using Research, Education, Information, and Technology
Act of 2012 (the SECURE IT Act) was introduced
into the Senate in March 2012. Similar to CISPA,
the SECURE IT Act is aimed at facilitating information
sharing in regard to cyber threats. The SECURE IT Act
has likewise been criticized for insufficient protection
of existing privacy rights.

A revised version of the Cybersecurity Act of 2012
(CSA) failed to pass the Senate in August 2012. Title
I called for a public-private consortium to develop a
set of voluntary cyber security practices for protecting
critical national infrastructure. However, existing governmental
regulators with authority over any critical
national infrastructure could require regulated companies
to comply with the "voluntary" cyber security
practices. Businesses have expressed concerns about
the potential costs for compliance. Title VII was similar
in intention to the CISPA and SECURE IT Act bills
to encourage network monitoring and information
sharing by private companies, with legal protection
provided to companies. Cyber threat information
could be shared with law enforcement through civilian
"cyber security exchanges" only where the information
pertains to a cybercrime, imminent threat
of bodily harm or serious injury, or serious threat
to minors. DHS would develop privacy policies for
how shared information would be used by the government.
After the failure of CSA to pass the Senate,
some senators pressured the White House to issue an
executive order for voluntary cyber security guidelines
for owners of power, water, and other critical
infrastructure facilities.

Public-private cooperation is not easy due to conflicting
interests. The GAO has noted efforts to develop
new information sharing arrangements between
the private sector and the government.47 However,
"expectations of private sector stakeholders are not
being met by their federal partners in areas related to
sharing information about cyber-based threats."48 Historically,
industry has tended to resist new regulations
for reasons of cost. In regard to cyber security practices,
companies have argued that they know their networks
better and can adapt faster to new threats than
government regulators. Consequently, the government
is currently focused on voluntary actions, but it
recognizes that incentives will be necessary. For companies,
information sharing is a complicated economic
question with advantages balanced by drawbacks.49

STRATEGIC  INITIATIVE  4:  DoD  will  build  robust 
relationships  with  U.S.  allies  and  international 
partners  to  strengthen  collective  cyber  security. 

This strategic initiative is aimed primarily at other
nations to foster cooperation for "collective self-defense
and collective deterrence" through timely
sharing of information about "cyber events, threat
signatures of malicious code, and information about
emerging actors and threats."50 Other shared activities
include capacity building, training, dialogue about
best practices, and pursuit of "international cyberspace
norms and principles that promote openness,
interoperability, security, and reliability."51

Significance  and  Novelty. 

This strategic initiative emphasizes the advantages
of collective self-defense to appeal not only to close
allies but also to "a wider pool of allied and partner
militaries" and "like-minded states."52 The advantages
of international cooperation for cyber security
are obvious, and the notion has been repeated in
government publications leading back to at least the
2003 National Strategy to Secure Cyberspace. The notion
of collective self-defense in warfare (not just in cyberspace)
goes even further back to the North Atlantic
Treaty Organization (NATO) established in 1949.

Interestingly, the Article 5 "mutual defense" clause
of NATO has already been tested by cyber attacks. In
April 2007, the Estonian government had decided to
move the Bronze Soldier of Tallinn, triggering Russian
protests. Multiple waves of distributed denial of service
(DDoS) attacks hit the websites of the Estonian
parliament, banks, ministries, newspapers, and media.
The Estonian Foreign Minister promptly accused
the Kremlin of responsibility, raising the question of
whether NATO member countries would respond collectively
to the DDoS attacks. Experts sent to Estonia
concluded that the DDoS attacks were not sufficiently
serious for Article 5 but highlighted the need for clear
legal definitions on cyber attacks that would qualify
for Article 5 mutual defense.

It is not clear that the NATO model of collective
self-defense, reflecting a simplistic "us versus them"
mindset reminiscent of the Cold War, is appropriate
for a more complicated modern world. Today, major
nations cooperate on many levels while still competing
in cyberspace. For example, China is heavily invested
in U.S. assets, and the Chinese economy depends critically
on trade with the United States. However, at the
same time, China is reportedly fully engaged in cyber
espionage activities.53

In addition to collective self-defense, the strategic
initiative states that international cooperation raises
the question of deterrence. By conventional wisdom,
strength in numbers could be an effective deterrent to
future cyber attacks. The notion of deterrence has not
been a major theme in previous government publications,
except that the 2010 Comprehensive National Cybersecurity
Initiative mentioned deterrence as part of one of
its major goals. However, it is questionable whether
deterrence is possible in cyber warfare in the same
way that nuclear deterrence worked by fear of "mutually
assured destruction."54

Practicality. 

This strategic initiative raises two questions of
practicality: can the United States forge treaties for
effective international cooperation, and can collective
deterrence work in cyber security? New international
treaties to cooperate in cyberspace would have to
overcome considerable obstacles: (1) competing interests,
(2) different attitudes toward cyber warfare, (3)
different definitions of malicious cyber acts (e.g., starting
with "cyber warfare"), and (4) difficult enforceability
(e.g., of terms limiting proliferation of cyber
weapons).

The Council of Europe Convention on Cybercrime
might give hope for international cooperation
on cyber warfare. Ratified in July 2004, it is the only
binding international treaty on cybercrime.55 Though
it remains mostly limited to Europe, it is open to
non-European states and has been signed by the United
States. It provides guidelines for all governments
wishing to develop legislation against cybercrime. It
also provides a framework for international cooperation.
However, while all nations have an interest in
controlling cybercrime, different nations have competing
interests in cyber warfare.

In 1998, Russia proposed a treaty banning cyber
attacks for military purposes, but the United States has
been reluctant to consider any limitations on its freedom
to act in cyberspace. In July 2010, the United States
shifted its position to join a group of other nations,
including China and Russia, on United Nations (UN)
recommendations to create norms of accepted behavior
in cyberspace, exchange information on national
cyber security strategies, and strengthen cyber security
in less developed countries.

In September 2011, Russia and several allies,
including China, proposed the International Code
of Conduct for Information Security to the UN to
standardize a code of responsible behavior in cyberspace.
The United States opposed the proposal on
the grounds that it sought to shift governance of the
Internet (which is currently done by various U.S.-based
nongovernmental international organizations)
to authoritarian regimes that might attempt to curb
the open culture of the Internet. Russia is continuing
efforts for a global treaty on cyber security but, so far,
the proposals appear unlikely to be successful due to
opposition from Western countries. There is no reason
for the United States to enter agreements that hinder
its freedom to act in cyberspace.

Whereas a global treaty on behaviour norms
appears to be unlikely, strategic treaties with allies and
"like-minded states" are more feasible and advantageous,
following a NATO model, for instance. Benefits,
including shared threat intelligence and early attack
warning, are easy to imagine. On the other hand, the
DoD Strategy mentions the benefit of "collective deterrence,"
which is more questionable. Presumably, it
refers to the notion that adversaries would refrain
from attacking due to the "strength in numbers" of
a U.S. alliance. Following the logic of nuclear deterrence,
an adversary should believe that a U.S. alliance
possesses the capability for retaliation and destruction
on a scale that the adversary cannot accept.56

Unfortunately, the cyber environment is completely
different from the nuclear environment, where
nuclear weapons can be traced and counted. In order
to be effective, cyber deterrence must overcome a few
practical obstacles.57 The first and most obvious problem
is attribution — identification of the real source of
a cyber attack. Cyber attacks can be anonymized in
many ways (e.g., by using proxies or stolen computer
accounts). The Internet is not well equipped to traceback
packets and, in the best case, might identify an
Internet protocol (IP) address. For malware attacks,
the creator is very difficult to discover from code
disassembly.

The second practical problem, if attribution can
be solved, is credible capacity for destructive retaliation.
Few doubt the offensive capability of the United
States, but it has not been demonstrated yet. In cyber
warfare, there is no real reason to reveal "cyber weapons"
unnecessarily. There is concern that revelations
of U.S. full offensive capability could trigger a global
cyber arms race. Also, a software cyber weapon could
be reverse engineered by an unfriendly country.

A  third  problem  is  demonstrated  willingness  to 
retaliate  with  destructive  force.  The  United  States  has 
not  issued  specific  conditions  for  retaliation  but  has 
left  all  options  open.  The  2011  International  Strategy  for 
Cyberspace  declared: 

When warranted, the United States will respond to
hostile acts in cyberspace as we would to any other
threat to our country.58

Furthermore, the United States will reserve the
right to use all necessary means — diplomatic, informational,
military, and economic — as appropriate and
consistent with applicable international law, in order
to defend our Nation, our allies, our partners, and our
interests.59

STRATEGIC INITIATIVE 5: DoD will leverage the
nation's ingenuity through an exceptional cyber
workforce and rapid technological innovation.

This strategic initiative aims to maintain U.S.
superiority through investment in its people, technology,
and R&D to create and sustain the cyberspace
capabilities.60

The first part of the strategy consists of improvements
made to personnel recruiting and hiring. Specific
ideas include:

• Streamlining hiring practices;

• Exchange programs to allow for "no penalty"
cross-flow of cyber professionals between the
public and private sectors;

• Cross-generational mentoring programs;

• Development of Reserve and National Guard
cyber capabilities; and,

• Exchanges and continuing education programs.

The second part of the strategy addresses investment
in technology, rather than people, by revising
processes for acquisition of information technology.
The new process will adopt five principles:

1. Reducing DoD's acquisition processes and regulations
to cycles of 12 to 36 months;

2. Incremental development and testing instead of
a single deployment of large, complex systems;

3. Sacrificing some customization to speed up
incremental improvements;

4. Adopting differing levels of oversight based on
DoD's prioritization of critical systems; and,

5. Improving security measures for all purchased
software and hardware, using an in-depth
security approach.

The strategic initiative points to the National
Cyber Range as a means to "test and evaluate new
cyberspace concepts, policies, and technologies."61 In
addition, companies will be incentivized through "initiatives
such as Small Business Innovation Research,
creative joint ventures, and targeted investments."62

Significance and Novelty.

For  the  most  part,  this  strategic  initiative  does  not 
say  much  new.  The  need  for  a  well-trained  workforce 
is  an  obvious  theme  repeated  in  previous  government 
publications.  Hopefully,  DoD  has  already  started  to 
build  up  its  cyber  workforce.  The  need  for  technology 
innovation  is  also  obvious,  considering  the  rapid  rate 
of  progress  in  information  technologies.  The  last  point 
about  incentivizing  companies  somewhat  repeats 
Strategic  Initiative  3. 

It might be argued that this strategic initiative is
already ongoing. Its general purpose is not to propose
revolutionary actions but to declare a message to
mainly two audiences: the private sector and foreign
adversaries. To the private sector, the strategy conveys
an intention to acquire new defense technologies and
hire cyber professionals. To foreign adversaries, the
message is DoD's intention to achieve and maintain
superiority in cyberspace.

The strategy is incomplete in addressing R&D.
While the strategic initiative aims for "technological
innovation," it gives much more attention to the
DoD acquisition process than to investment in R&D.
It is not clear how innovations will be stimulated. For
example, nothing is mentioned about investment in
universities or scientific labs for basic research, or how
basic research will be translated into new products to
acquire. It seems to be implicitly assumed that small
businesses will automatically innovate.

Practicality.

The actions in this strategic initiative are straightforward
and hopefully already on their way to implementation.
Unfortunately, this strategic initiative
appears to depend highly on defense funding.

An agile acquisition process is being implemented
by the Defense Advanced Research Projects Agency
(DARPA). An example is the Cyber Fast Track program
that strives to fund small research projects with
rapid approval (perhaps less than a week).63 The
research projects are carried out by individuals or
small groups for a few months. Hopefully, the short
timescales will lead to better adaptiveness to quickly
changing security threats.

CRITICAL  OBSERVATIONS 

After reading and evaluating each strategic initiative,
some general observations about the unclassified
version of the DoD Strategy for Operating in Cyberspace
can be made.

•  The  strategy  focuses  mostly  on  technology, 
resources,  and  cooperation.  Human  resources 
are  addressed  only  in  part  of  the  last  initiative. 

• The strategy emphasizes defense and prevention.
The classified version of the strategy obviously
includes more points (e.g., presumably
offensive capabilities).

• The strategic initiatives mostly repeat themes
that have appeared in previous government
publications. The ideas are uncontroversial
and sensible, but no surprising ideas are
really offered.

• Some of the actions are already in progress,
such as treating cyberspace as an operational
domain; active defense; public-private cooperation;
cyber workforce recruiting; and rapid
technology acquisition. In this sense, the DoD
Strategy is mostly an affirmation of current
directions.

• The strategy does not offer solutions to several
practical challenges, such as how to implement
advanced technologies for network resilience
and robustness into DoD's computer networks;
how to accurately detect intrusions in real
time; how to properly incentivize private sector
information sharing; and how to effectively
deter cyber attacks.

• The strategy does not distinguish between different
types of adversaries — nation-states, foreign
intelligence, hacktivists, criminals, hackers,
terrorists — nor does the strategy address
initiatives for specific types of adversaries.

• The unclassified version of the strategy neglects
to address important issues: offense; attribution;
rules for proper response to cyber attacks;
and metrics of progress toward implementation.
These issues are discussed here.

Offense. 

The unclassified DoD Strategy for Operating in Cyberspace
is primarily concerned with defensive protection
of the information infrastructure. However, it is obvious
that the United States, like all modern nations,
would be foolish not to build up offensive as well as
defensive capabilities. The 2004 National Military Strategy
of the United States of America stated plainly that
cyber capabilities, "both offensive and defensive, are
key to ensuring U.S. freedom of action across the battlespace."64
Also, the Air Force has said "cyberspace
operations seek to ensure freedom of action across
all domains for U.S. forces and allies, and deny that
same freedom to adversaries," implying the capability
for offense.65

It has been reported that the United States and
Israel were responsible for developing the Stuxnet
malware aimed at sabotaging the Natanz uranium
enrichment plant in Iran.66 Stuxnet spread through
the internal computer network in search of programmable
logic controllers controlling gas centrifuges
and reportedly spun the centrifuges at rates outside
of their normal operating range, causing perhaps a
thousand centrifuges to fail. If true, Stuxnet would
qualify as the first "cyber weapon" launched by
one nation to damage another's physical infrastructure.
Shortly after Stuxnet was discovered, it was
suspected of belonging to a growing arsenal of U.S.
cyber weapons.67

A strategy for building offensive capability has
not been stated, most likely because of concern about
stimulating a global cyber arms race. If an offensive
strategy is developed, it should include clear
guidelines for how and when offensive actions can be
carried out against another nation.

Attribution. 

The DoD Strategy does not specifically address the
problem of attribution. As mentioned earlier, attribution
is an enormous challenge, and the plausible deniability
afforded by anonymity is a great contributing
factor to cyber attacks. Adversaries are encouraged
by the fact that the real source of attacks can be easily
hidden. Even if an adversary is suspected, there is
typically no hard evidence proving the perpetrator of
an attack.

Technically, the real source is easy to hide because
the Internet was not designed to validate source IP
addresses, traceback packets, or record details of
packets along their routes (due to the vast volumes of
traffic). Even if packets could be traced back to an IP
address, adversaries could confuse traceback by using
anonymizing proxies or hijacked accounts as intermediaries.
Moreover, many attacks are carried out by
malware, and the creator of malware is very difficult
to discover from disassembling the malware code. In
addition, the lack of international laws hinders traceback
when packets cross national boundaries.

Rules  for  Proper  Response  to  Cyber  Attacks. 

Given capabilities for offense and attribution,
retaliation for cyber attacks is possible. Retaliation
might consist of a physical response, which is implied
by the declaration of cyberspace to be an operational
domain, risking the possibility of a cyber attack escalating
into a conventional war. However, the unclassified
DoD Strategy for Operating in Cyberspace is silent
on guidelines for proper response, i.e., what is the
threshold for military response, and what qualifies as
"use of force"? Guidelines must take into account the
difficulty of attribution and assessment of damages in
the cyber domain.

It has been reported that President Obama signed
executive orders in June 2011 describing rules of
engagement for U.S. military commanders in carrying
out cyber attacks and other computer-based operations
against other countries. The orders supposedly
provide guidance on when presidential approval
is needed to initiate attacks and on conditions when
the military can respond to an intrusion by active
retaliation.

A strategy should address two issues. First, when
does a cyber attack justify a military response? DoD
reportedly has been considering an idea of "equivalence."
For example, a conventional response could be
warranted if a cyber attack results in the same level
of death or physical damage that a conventional military
attack would cause. A traditional legal test is the
"Caroline Test," where potential forcible actions taken
by states for self-defense may be considered to be lawful
only if they are subject to the three conditions of
immediacy, necessity, and proportionality.68 The first
two conditions mean that the threat is imminent, and
peaceful alternatives are not an option. These conditions
would probably be easy to meet in the event of
a major cyber attack. The third condition means that
the response should be proportional to the threat. This
condition may be the most challenging to meet due to
the interconnected nature of computer networks.

Michael  Schmitt  has  proposed  a  more  elaborate 
framework,  considering  the  intensity  of  damage  in 
each  of  seven  areas  (severity,  immediacy,  directness, 
invasiveness,  measurability,  presumptive  legitimacy, 
and  responsibility)  to  assess  the  composite  effects  of  a 
cyber  attack.69 

The second question that should be addressed is,
What is an appropriate response? Traditional wars
are guided by the Laws of Armed Conflict (LOAC)
derived from a series of international treaties, such as
the Geneva conventions, as well as traditional practices
that the United States and other nations consider
customary international law. Obviously cyber warfare
is not covered by existing treaties, but the question is
whether the principles of LOAC — military necessity,
distinction, and proportionality — should be applicable
to cyber warfare. Military necessity refers to restrictions
on combat actions to only those necessary to
accomplish a legitimate military objective. Distinction
refers to restriction of combat targets to valid military
targets (versus noncombatant targets such as civilians,
civilian property, and prisoners of war). Proportionality
is a restriction on excessive use of force beyond
that needed to accomplish the military objective.

Metrics  of  Progress. 

For a long time, the field of security has lacked a
mathematical science to answer two fundamentally
important questions: How far has the DoD Strategy
been implemented, and how secure are U.S. assets?
Today, it is difficult to quantify the security of a computer
system.70 Therefore, it is hard to have confidence
or trust in a protected system. In current practice,
security is assessed experimentally by the number of
vulnerabilities found or the results of penetration testing
(or red teaming).

The closest thing to science in security may be risk
management. The mathematics behind risk management
may give the appearance of precision, but input
parameters such as likelihood of attacks are notoriously
difficult to estimate. As a result, the calculations
of risk are essentially best guesses. There is no way
to verify calculated risks; even the precision of calculated
risks is hard to quantify.

The  DoD  Strategy  does  not  address  the  need  for 
cyber security metrics that are currently missing. It
may be possible to measure actions taken in each of
the  strategic  initiatives,  but  in  the  end,  little  could  be 
proven  about  the  strength  of  cyber  security  of  U.S. 
assets  without  appropriate  metrics. 

CONCLUSIONS  AND  RECOMMENDATIONS 

DoD faces a rapidly changing environment of
cyber threats. Fortunately, DoD is one of the best prepared
organizations in the world. As noted earlier, it
has undertaken many actions to fortify its capabilities
(such as establishment of the USCYBERCOM) and
defensive position to protect the nation's military networks
and critical infrastructures.

With the DoD Strategy for Operating in Cyberspace,
important messages have been conveyed to the American
public, other government agencies, the private
sector, and other nations. The most important message
is that the DoD is serious about taking further
actions to maintain superiority in cyberspace. Another
message is recognition that neither the DoD (nor any
single agency) can protect all of cyberspace by itself,
and the DoD is appealing for cooperation from the
private sector and like-minded nations.

The  ultimate  question  is  whether  the  strategy  is 
adequate  to  maintain  DoD  superiority  in  the  face  of 
existing  and  future  cyber  threats.  The  GAO  describes 
a  complete  national  cyber  strategy  as  one  that: 

•  Includes  well-defined  strategic  objectives; 

• Provides understandable goals for the government
and the private sector;

•  Articulates  cyber  priorities  among  the 
objectives; 

• Provides a futuristic vision of what secure
cyberspace should be;

• Seeks to integrate federal government
capabilities;

•  Establishes  metrics  to  gauge  progress  against 
the  strategy;  and, 

•  Provides  enforcement  and  accountability  in  the 
event  of  progress  shortfalls.71 

The DoD Strategy for Operating in Cyberspace falls
short in this list. For example, it is not clear about priorities,
futuristic vision, progress metrics, or enforcement
and accountability. Some of these inadequacies were
already mentioned in an earlier section. It is important
to recognize that the DoD Strategy will undoubtedly
be revised; strategies must continually evolve to adapt
to the changing threat landscape. After reading and
evaluating each strategic initiative in the current DoD
Strategy, recommendations for future versions of the
strategy include:

•  Expansion  of  detailed  plans  of  actions  to  take 
for  each  strategic  initiative; 

• Explanations of how to find solutions to practical
challenges (e.g., how to implement advanced
technologies for network resilience and robustness
on a large scale, how to accurately detect
and prevent intrusions in real time, how to
determine effective incentives for private sector
information sharing);

• Elaboration on specific strategies to address
different types of adversaries who have different
capabilities, skills, and goals;

• Elaboration on specific mechanisms to stimulate
technological innovations and translate
research results into new defense products;

• Additional consideration of omitted issues,
including attribution, rules for proper response
to cyber attacks, and security metrics; and

• Proposals of novel, forward-looking ideas and
new ways of thinking (e.g., effective cyber
deterrence).

It  should  be  straightforward  for  future  versions  of 
the  DoD  Strategy  to  fill  in  the  recommended  details. 
Perhaps  a  greater  concern  is  a  noticeable  lack  of  novel 
ideas.  The  DoD  Strategy  mostly  deals  with  activities 
already  in  progress,  which  are  probably  not  much 
different  from  ongoing  activities  in  other  nations. 
The  DoD  Strategy  neglects  to  identify  unique  U.S. 
advantages  and  resources,  and  how  to  capitalize  on 
these  unique  traits  to  maintain  U.S.  superiority.  In  the 
absence  of  a  unique  strategy,  the  United  States  may 
very  well  be  able  to  build  effective  defensive  and 
offensive  capabilities,  but  it  faces  the  risk  of  losing  a 
superior  advantage  if  other  nations  reach  parity  by 
doing the same things.

APPENDIX


Several U.S. documents related to national defense
and national security preceded the 2011 DoD Strategy
for Operating in Cyberspace, as listed here. They
place the DoD Strategy in a context of evolving ideas
and themes.


| Date | Document | Major Themes Related to Cyber Security |
|---|---|---|
| Feb. 2003 | The National Strategy to Secure Cyberspace (www.us-cert.gov/reading_room/cyberspace_strategy.pdf) | National cyber security response system; reduction of vulnerabilities to cyber attacks; cyber security awareness; secure government cyberspace; national and international cooperation. |
| 2004 | The National Military Strategy of the United States of America (www.defense.gov/news/mar2005/d20050318nms.pdf) | Joint military operations across air, land, sea, space, and cyberspace domains. |
| Dec. 2006 | The National Military Strategy for Cyberspace Operations (www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf) | Investment in science and technology; cyber workforce training; partnerships with industry and nations; integrate cyberspace capabilities across military operations; build capacity; manage cyber risks. |
| 2009 | DHS National Infrastructure Protection Plan (www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf) | Public-private partnerships to address threats to critical infrastructures. |
| Feb. 2010 | Quadrennial Defense Review Report (www.defense.gov/qdr/images/QDR_as_of_12Feb10_1000.pdf) | Network resilience; build capacity; centralization of cyber operations; international partnerships. |
| May 2010 | National Security Strategy (www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf) | Investment in cyber workforce; investment in technology; network resilience; private-public partnerships; international partnerships. |
| May 2011 | International Strategy for Cyberspace (www.whitehouse.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf) | International cooperation; public-private partnerships; network resilience; cyber deterrence; build capacity; Internet freedom. |


More  visually,  this  list  shows  how  previous 
strategy  documents  have  strongly  influenced  the 
DoD  Strategy. 


Table  1.  Influence  of  Previous  Documents. 